SES full access to ambiguous

  • Resolved Mike Wiegand

    (@mikeg_de)


    4 years, 11 months ago

    Hi,

    when multiple domains or email addresses, even for foreign domains / customers are managed in SES, they are all listed. Full SES access introduces a sever security risk, though.

    I tried locking down access but w/o full SES permissions the plugin won’t validate the setup.

    How can this be adjusted to improve security?

    Thanks in advance
    Mike

Viewing 6 replies - 1 through 6 (of 6 total)

  • I solved this problem by looking through the plugin php. It uses: ses:SendRawEmail, ses:VerifyEmailIdentity, ses:GetSendQuota, ses:GetIdentityVerificationAttributes, ses:ListIdentities, ses:VerifyDomainIdentity, ses:DeleteIdentity.

    Because my identity is used through another application I left off ses:DeleteIdentity to prevent something catastrophic happening in the worst case. If you verify through AWS console, I would imagine you could also leave out: ‘ses:VerifyEmailIdentity’.

    • This reply was modified 4 years, 10 months ago by dominikbot.
    Thread Starter Mike Wiegand

    (@mikeg_de)

    Thanks @dominikbot

    @deliciousbrains is there any chance to adjust the plugin to improve the security?

    Kind regards
    Mike

    No problem @mikeg_de

    I realize your question wasn’t directed to me, but I don’t think there is a security issue. The real solution is to restrict the permissions to a subset of the ones I listed above in the IAM policy maker. I understand this is probably asking a lot from people who aren’t AWS enthusiasts, but I don’t think the application uses anything it doesn’t really need.

    Thread Starter Mike Wiegand

    (@mikeg_de)

    No worries, appreciate that someone replied at least.

    Just as a note, I have created distinct IAM users. Without setting up AWS organizations or separate accounts, I do not see a chance to resolve it.

    Or did I understood you incorrectly @dominikbot?

    It’s fine to just use IAM users, that’s what they are there for. You can restrict the IAM user to only use the specific resource with the specific permissions you want. As an example, here is the policy I attached to my IAM user that only deals with this plugin:

    {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": "ses:SendRawEmail",
            "Resource": "arn:aws:ses:<rest-of-arn-here>"
        },
        {
            "Sid": "VisualEditor1",
            "Effect": "Allow",
            "Action": [
                "ses:GetSendQuota",
                "ses:GetIdentityVerificationAttributes",
                "ses:ListIdentities"
            ],
            "Resource": "*"
        }
    ]
}

    Does that answer your question? Note to any people who copy this. This policy will only work for you if you verify a domain or email identity in the ses console first, then paste the arn into the first resource slot.

    • This reply was modified 4 years, 10 months ago by dominikbot. Reason: formatting
    Thread Starter Mike Wiegand

    (@mikeg_de)

    Splendid! Now I am with you. Couldn’t empathize what you wrote to the actual IAM JSON role definition.

    Five stars for @dominikbot!

Viewing 6 replies - 1 through 6 (of 6 total)
  • The topic ‘SES full access to ambiguous’ is closed to new replies.

Tags